Update github.com/libgit2/git2go to v31.6.1

This commit updates `github.com/libgit2/git2go` to `v31.6.1` (with
`libgit2` `1.1.1`), and changes the container image build process so
that it makes use of `ghcr.io/hiddeco/golang-with-libgit2`.

This image provides a pre-build dynamic `libgit2` dependency linked
against OpenSSL and LibSSH2 (without gcrypt), and a set of cross-compile
build tools (see
[rationale](https://github.com/hiddeco/golang-with-libgit2#rationale) and
[usage](https://github.com/hiddeco/golang-with-libgit2#usage) for more
detailed information).

The linked set of dependency should solve most known issues around
unsupport private key types, but does not resolve the issues with ECDSA*
and ED25519 hostkeys yet. Solving this requires a newer version of
`libgit2` (`>=1.2.0`), which currently does not seem to work properly
with `git2go/v32`.

Signed-off-by: Hidde Beydals <[email protected]>

Author: hiddeco

.dockerignore

@@ -0,0 +1 @@
+hack/libgit2/

.github/actions/run-tests/Dockerfile

@@ -1,19 +1,13 @@
-FROM golang:1.16-buster as builder
-
-# Up-to-date libgit2 dependencies are only available in sid (unstable).
-RUN echo "deb http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list \
-    && echo "deb-src http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list
-RUN set -eux; \
-    apt-get update \
-    && apt-get install -y libgit2-dev/unstable zlib1g-dev/unstable libssh2-1-dev/unstable libpcre3-dev/unstable \
-    && apt-get clean \
-    && apt-get autoremove --purge -y \
-    && rm -rf /var/lib/apt/lists/*
+FROM ghcr.io/hiddeco/golang-with-libgit2:dev as build
 
+# Use the GitHub Actions uid:gid combination for proper fs permissions
 RUN groupadd -g 116 test && \
     useradd -u 1001 --gid test --shell /bin/sh --create-home test
 
 # Run as test user
 USER test
 
+# Set path to envtest binaries.
+ENV PATH="/github/workspace/envtest:${PATH}"
+
 ENTRYPOINT ["/bin/sh", "-c"]

.github/workflows/build.yaml

@@ -22,8 +22,11 @@ jobs:
           ${{ runner.os }}-go-
     - name: Set up kubebuilder
       uses: fluxcd/pkg/actions/kubebuilder@main
+    - name: Setup envtest
+      uses: fluxcd/pkg/actions/envtest@main
+      with:
+        version: "1.19.2"
     - name: Run tests
       uses: ./.github/actions/run-tests
       env:
         GOPATH: /github/home/go
-        KUBEBUILDER_ASSETS: ${{ github.workspace }}/kubebuilder/bin

.gitignore

@@ -27,3 +27,6 @@ bin
 *.swp
 *.swo
 *~
+
+# Exclude all libgit2 related files
+hack/libgit2/

Dockerfile

@@ -1,26 +1,18 @@
-FROM golang:1.16-buster as builder
-
-# Up-to-date libgit2 dependencies are only available in sid (unstable).
-# The libgit2 dependencies must be listed here to be able to build on ARM64.
-RUN echo "deb http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list \
-    && echo "deb-src http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list
-RUN set -eux; \
-    apt-get update \
-    && apt-get install -y libgit2-dev/unstable zlib1g-dev/unstable libssh2-1-dev/unstable libpcre3-dev/unstable \
-    && apt-get clean \
-    && apt-get autoremove --purge -y \
-    && rm -rf /var/lib/apt/lists/*
+ARG BASE_IMG=ghcr.io/hiddeco/golang-with-libgit2
+ARG BASE_TAG=dev
+FROM ${BASE_IMG}:${BASE_TAG} AS build
 
+# Configure workspace
 WORKDIR /workspace
 
-# Copy the Go Modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
-
 # This has its own go.mod, which needs to be present so go mod
 # download works.
 COPY api/ api/
 
+# Copy modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+
 # cache deps before building and copying source so that we don't need to re-download as much
 # and so that source changes don't invalidate our downloaded layer
 RUN go mod download
@@ -30,30 +22,34 @@ COPY main.go main.go
 COPY pkg/ pkg/
 COPY controllers/ controllers/
 
-# Build
-RUN CGO_ENABLED=1 go build -o image-automation-controller main.go
+# Build the binary
+ENV CGO_ENABLED=1
+ARG TARGETPLATFORM
+RUN xx-go build -o image-automation-controller -trimpath \
+    main.go
 
-FROM debian:buster-slim as controller
+FROM debian:bullseye-slim as controller
 
-LABEL org.opencontainers.image.source="https://github.com/fluxcd/image-automation-controller"
+# Configure user
+RUN groupadd controller && \
+    useradd --gid controller --shell /bin/sh --create-home controller
 
-# Up-to-date libgit2 dependencies are only available in
-# unstable, as libssh2 in testing/bullseye has been linked
-# against gcrypt which causes issues with PKCS* formats.
-RUN echo "deb http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list \
-    && echo "deb-src http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list
-RUN set -eux; \
-    apt-get update \
-    && apt-get install -y ca-certificates libgit2-1.1 \
-    && apt-get clean \
-    && apt-get autoremove --purge -y \
+# Copy libgit2
+COPY --from=build /libgit2/lib/ /usr/local/lib/
+RUN ldconfig
+
+# Upgrade packages and install runtime dependencies
+RUN echo "deb http://deb.debian.org/debian sid main" >> /etc/apt/sources.list \
+    && echo "deb-src http://deb.debian.org/debian sid main" >> /etc/apt/sources.list \
+    && apt update \
+    && apt install --no-install-recommends -y zlib1g/sid libssl1.1/sid libssh2-1/sid \
+    && apt install --no-install-recommends -y ca-certificates \
+    && apt clean \
+    && apt autoremove --purge -y \
     && rm -rf /var/lib/apt/lists/*
 
-COPY --from=builder /workspace/image-automation-controller /usr/local/bin/
-
-RUN groupadd controller && \
-    useradd --gid controller --shell /bin/sh --create-home controller
+# Copy over binary from build
+COPY --from=build /workspace/image-automation-controller /usr/local/bin/
 
 USER controller
-
 ENTRYPOINT [ "image-automation-controller" ]

Makefile

@@ -1,5 +1,8 @@
 # Image URL to use all building/pushing image targets
-IMG ?= fluxcd/image-automation-controller:latest
+IMG ?= fluxcd/image-automation-controller
+# Image tag to use all building/push image targets
+TAG ?= latest
+
 # Produce CRDs that work back to Kubernetes 1.16
 CRD_OPTIONS ?= crd:crdVersions=v1
 
@@ -92,12 +95,12 @@ uninstall: manifests	## Uninstall CRDs from a cluster
 	kustomize build config/crd | kubectl delete -f -
 
 deploy: manifests	## Deploy controller in the configured Kubernetes cluster in ~/.kube/config
-	cd config/manager && kustomize edit set image fluxcd/image-automation-controller=${IMG}
+	cd config/manager && kustomize edit set image fluxcd/image-automation-controller=$(IMG):$(TAG)
 	kustomize build config/default | kubectl apply -f -
 
 dev-deploy: manifests
 	mkdir -p config/dev && cp config/default/* config/dev
-	cd config/dev && kustomize edit set image fluxcd/image-automation-controller=${IMG}
+	cd config/dev && kustomize edit set image fluxcd/image-automation-controller=$(IMG):$(TAG)
 	kustomize build config/dev | kubectl apply -f -
 	rm -rf config/dev
 
@@ -123,14 +126,17 @@ vet: $(LIBGIT2)	## Run go vet against code
 generate: controller-gen	## Generate code
 	cd api; $(CONTROLLER_GEN) object:headerFile="../hack/boilerplate.go.txt" paths="./..."
 
-docker-build: test	## Build the Docker image
-	docker build . -t ${IMG}
+docker-build:  ## Build the Docker image
+	docker build \
+		--build-arg BASE_IMG=$(BASE_IMG) \
+		--build-arg BASE_TAG=$(BASE_TAG) \
+		-t $(IMG):$(TAG) .
 
 docker-push:	## Push the Docker image
-	docker push ${IMG}
+	docker push $(IMG):$(TAG)
 
 docker-deploy:	## Set the Docker image in-cluster
-	kubectl -n flux-system set image deployment/image-automation-controller manager=${IMG}
+	kubectl -n flux-system set image deployment/image-automation-controller manager=$(IMG):$(TAG)
 
 controller-gen: 	## Find or download controller-gen
 ifeq (, $(shell which controller-gen))
@@ -171,7 +177,7 @@ else
 	set -e; \
 	mkdir -p $(LIBGIT2_PATH); \
 	docker cp $(shell docker create --rm $(BASE_IMG):$(BASE_TAG)):/libgit2/Makefile $(LIBGIT2_PATH); \
-	INSTALL_PREFIX=$(LIBGIT2_PATH) LIGBIT2_VERSION=$(LIBGIT2_VER) LIBGIT2_REVISION= make -C $(LIBGIT2_PATH); \
+	INSTALL_PREFIX=$(LIBGIT2_PATH) LIGBIT2_VERSION=$(LIBGIT2_VER) make -C $(LIBGIT2_PATH); \
 	}
 endif
 

controllers/imageupdateautomation_controller.go

@@ -675,7 +675,7 @@ func push(ctx context.Context, path, branch string, access repoAccess) error {
 		if status != "" {
 			callbackErr = fmt.Errorf("ref %s rejected: %s", refname, status)
 		}
-		return libgit2.ErrOk
+		return libgit2.ErrorCodeOK
 	}
 	err = origin.Push([]string{fmt.Sprintf("refs/heads/%s:refs/heads/%s", branch, branch)}, &libgit2.PushOptions{
 		RemoteCallbacks: callbacks,

go.mod

@@ -15,13 +15,14 @@ require (
 	github.com/fluxcd/pkg/runtime v0.12.1
 	github.com/fluxcd/pkg/ssh v0.1.0
 	// If you bump this, change SOURCE_VER in the Makefile to match
-	github.com/fluxcd/source-controller v0.15.4
+	// TODO(hidde): set to tagged version of release.
+	github.com/fluxcd/source-controller v0.15.5-0.20210930103634-ac1b95090415
 	github.com/fluxcd/source-controller/api v0.15.4
 	github.com/go-git/go-billy/v5 v5.3.1
 	github.com/go-git/go-git/v5 v5.4.2
 	github.com/go-logr/logr v0.4.0
 	github.com/google/go-containerregistry v0.6.0
-	github.com/libgit2/git2go/v31 v31.4.14
+	github.com/libgit2/git2go/v31 v31.6.1
 	github.com/onsi/ginkgo v1.16.4
 	github.com/onsi/gomega v1.14.0
 	github.com/otiai10/copy v1.2.0

go.sum

@@ -358,8 +358,8 @@ github.com/fluxcd/pkg/testserver v0.1.0/go.mod h1:fvt8BHhXw6c1+CLw1QFZxcQprlcXzs
 github.com/fluxcd/pkg/untar v0.1.0/go.mod h1:aGswNyzB1mlz/T/kpOS58mITBMxMKc9tlJBH037A2HY=
 github.com/fluxcd/pkg/version v0.1.0 h1:v+SmCanmCB5Tj2Cx9TXlj+kNRfPGbAvirkeqsp7ZEAQ=
 github.com/fluxcd/pkg/version v0.1.0/go.mod h1:V7Z/w8dxLQzv0FHqa5ox5TeyOd2zOd49EeuWFgnwyj4=
-github.com/fluxcd/source-controller v0.15.4 h1:FtFkrja75qGRK05CoYf9extdQO5Z3Ts4QloBSiWaHhE=
-github.com/fluxcd/source-controller v0.15.4/go.mod h1:yv3qPWT6aNYWYXdmjTjcZmUTfgoC/c7yovcnApnGKYE=
+github.com/fluxcd/source-controller v0.15.5-0.20210930103634-ac1b95090415 h1:XrTvVFkWdFQX6GbosGNVtfreqAVqjBtFVk2cqy0uBYk=
+github.com/fluxcd/source-controller v0.15.5-0.20210930103634-ac1b95090415/go.mod h1:XPuJVVTs4eYwDWbZjaZY6JLiaNMPti+sl6LpCewEcvc=
 github.com/fluxcd/source-controller/api v0.15.4 h1:9aRcH/WKJWt7Bp954K/wzLRuiRiHuD2osvYp74GoP64=
 github.com/fluxcd/source-controller/api v0.15.4/go.mod h1:guUCCapjzE2kocwFreQTM/IGvtAglIJc4L97mokairo=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
@@ -683,8 +683,8 @@ github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtB
 github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw=
 github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.10.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/libgit2/git2go/v31 v31.4.14 h1:6GOd3965D9e/+gjxCwZF4eQ+vB9kKB4yKFqdQr6XZ2E=
-github.com/libgit2/git2go/v31 v31.4.14/go.mod h1:c/rkJcBcUFx6wHaT++UwNpKvIsmPNqCeQ/vzO4DrEec=
+github.com/libgit2/git2go/v31 v31.6.1 h1:FnKHHDDBgltSsu9RpKuL4rSR8dQ1JTf9dfvFhZ1y7Aw=
+github.com/libgit2/git2go/v31 v31.6.1/go.mod h1:c/rkJcBcUFx6wHaT++UwNpKvIsmPNqCeQ/vzO4DrEec=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
 github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM=
 github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4=